Abstract

A message in a protocol is said to have a type-flaw if it was created with some intended type, but is later received and treated as a different type. A type-flaw guessing attack is an attack where a password is guessed and verified by inducing type-flaws in a protocol.

Heather et al. [HLS00] prove that attacks that use type-flaws can be prevented if honest agents tag messages with their intended types. However, their tagging scheme cannot be used in a password protocol, since it allows a guess to be directly verified using the tags inside password encryptions.

In this paper we prove that, following a modification of Heather et al.'s scheme, most type-flaw guessing attacks can still be prevented.


1 Introduction

Numerous protocols have been introduced to initialize security services for protocol users. One of the goals of these protocols is authentication of a sender's identity. There exists a class of protocols called password protocols, which use user-chosen passwords for authentication. If these protocols are not designed well, they may be subject to guessing attacks [GLNS93]; here an attacker can learn the password by guessing it and verifying the guess using the messages in the protocol.

A message in a protocol is said to have a type-flaw if it was created with an intended type but is later received and treated as a different type; for example, receiving a nonce and treating it as though it was an agent's identity. A type-flaw guessing attack is an attack where a type-flaw is induced in a protocol to enable a password guessing attack.


*We dedicate this paper to Late Professor Roger Needham. This work

1.1 Type-Flaw Guessing Attacks

Consider the following protocol we discussed in [?]:

Msg 1. A → B : {{K}pk(B), {{K}pk(B)}K}pab
Msg 2. B → A : {NB, {K2}K}pab
Msg 3. A → B : {NB}K2

A type-flaw guessing attack is possible against this protocol. During the on-line phase of the attack, the attacker performs the following communication with A (we write I(x) when the attacker impersonates honest agent x):

Msg 1. A → I(B) : {{k}pk(B), {{k}pk(B)}k}pab
Msg 2. I(B) → A : {{k}pk(B), {{k}pk(B)}k}pab
Msg 3. A → I(B) : {{k}pk(B)}{k}pk(B) (that is, {k}pk(B) encrypted under the key {k}pk(B))

In message 2, the attacker replays message 1 back to A, causing a type-flaw. A cannot detect this type-flaw and hence responds by sending message 3.

Attack: The attacker goes off-line and begins guessing values for pab. Using a guess he decrypts message 1, splits it, and takes the first part ({k}pk(B)) out of it. He can then decrypt message 3 with this value to obtain {k}pk(B) again, thereby verifying the guess. This guessing attack is possible because the attacker tricked A into sending redundant information in message 3 [?].

Observe that this attack is not possible if A can detect the type-flaw in message 2. Tagging messages 1 and 2 will enable this detection, but can also enable the guessing attack unless we are careful.

1.2 Tagging to Prevent Type-Flaw Attacks

Heather et al. in [HLS00] proved that attacks involving type-flaws can be prevented if all messages are tagged with their types. For example, in their scheme, a nonce na should be tagged as (nonce, na), an agent's identity a as (agent, a), and so on.

However, there is a problem with Heather et al.'s solution. Consider the message:

{na}passwd(a,b)

Here na is a nonce; {na}passwd(a,b) represents na encrypted with passwd(a,b).

An attacker can attempt a guessing attack by guessing the password passwd(a,b). For example, if the user name is "Arnold Schwarzenegger", "terminator" wouldn't be a bad guess for passwd(a,b). If the attacker knows na, he can decrypt {na}passwd(a,b) with "terminator" to see if it matches the na he knows. If so, that verifies the guess. Otherwise, he can try another guess.

Note that this attack is not feasible if the attacker does not know na initially. But consider the same message using Heather et al.'s scheme of type-tagging:

{(nonce, na)}passwd(a,b)

The attacker can decrypt with the guess and see if the tag "nonce" is in it. If so, that would directly verify the guess. He doesn't even need to know na! Therefore, Heather et al.'s solution against type-flaw attacks cannot be used in password protocols.

1.3 Tagging to Prevent Type-Flaw Guessing Attacks

We have run into a classic security problem: one security solution, tagging to prevent type-flaw attacks, introduces a new problem, the enabling of non-type-flaw guessing attacks.

In this paper, we address this problem by modifying the tagging scheme. We prove that if we follow Heather et al.'s scheme but avoid type-tags inside terms encrypted with passwords, most of the type-flaw guessing attacks can still be prevented.

The only type-flaw that our modified scheme fails to prevent is the following: a password-encrypted term, say {m1}passwd(a,b), being received where a term of the form {m2}passwd(a,b) is expected, with m1 and m2 (ideally) having different types. We will have more to say about this case in the Conclusion.

2 Proof Strategy

We introduce a modified version of Heather et al.'s tagging scheme that prevents most type-flaw guessing attacks and does not add redundancy that enables normal guessing attacks. We prove this claim following a model and proof structure very similar to Heather et al. [HLS00].

Our main aim is to prove the following:

Whenever there is a guessing attack on a protocol using our tagging scheme, there is an equivalent guessing attack when there are no type-flaws in the protocol.

Since, as explained in section 3.5, a protocol run has no type-flaws exactly when every field in it is correctly tagged, we therefore prove that:

Whenever there is a guessing attack on a protocol using our tagging scheme, there is an equivalent guessing attack when all fields are correctly tagged.

An off-line guessing attack is characterized by two factors:

• The protocol run (an attacker can actively participate in the protocol run, inducing type-flaws, but doesn't use a guess);

• Attacker inferences from the set of messages in the protocol run that enable him to verify a guess.

Therefore, in order to prove our main claim, we need to prove two things:

1. If an attacker participates in a protocol run C that uses our tagging scheme, then an equivalent protocol run C'' can be visualized in which every field is correctly tagged;

2. If the attacker can verify a guess from the set of messages in C, then he can also verify a guess from C''.

We use the main result from [HLS00] for point 1 above. Our only modification to their model is the following: we consider all weak encryptions (terms encrypted with passwords) as if they were just another type of atomic element, such as nonce, agent etc. We associate a generic tag "wenc" with weak encryptions. We introduce their protocol model and state their main result in section 3.

For point 2 above, we use the definition of guessing attacks from [?] and show that, whenever a guess is verifiable from C, it is also verifiable from C''. This is covered in section 4.

3 Proof Part 1: Heather et al.'s Protocol Model and Main Result

In this section we reiterate the model and main results of Heather et al.'s [HLS00] tagging scheme in the context of our modification.

3.1 Message Structure

3.1.1 Tags, Facts and Taggedfacts

The main message element is a taggedfact. It is a combination of a tag and a fact, written as (tag, fact). The idea is that the tag represents the "type" of the fact.

TaggedFact ::= Tag × Fact

Message structures are divided into atoms, pairs and encryptions. An atom is an indivisible element. Sets of atoms are grouped together as Agent, Nonce, Pubkey and so on. The tags for elements of these sets are given obvious names such as agent, nonce etc. In our modification we add the set Wenc to Atoms to represent "weak encryptions". The corresponding tag is wenc. We treat weak encryptions as an "abstract type". We will talk more about this set as we progress in the paper.

A pair tag is associated with the concatenation of two tagged facts. The tag enc is associated with encryptions, together with the collection of tags for the elements inside the encryption and a tag for the key.

Tag ::= agent | nonce | wenc | ... | pair | enc Tag* Tag

Fact ::= Atom | PAIR TaggedFact TaggedFact | ENCRYPT Tag TaggedFact Fact

An atomic fact a of type "agent", associated with the corresponding tag agent, is written as (agent, a). The pairing PAIR tf1 tf2 is written as (tf1, tf2). When this is associated with its corresponding tag, "pair", it is written as (pair, (tf1, tf2)). PAIR (PAIR tf1 tf2) tf3 should actually be ((tf1, tf2), tf3), but it is simply written as (tf1, tf2, tf3) in order to avoid notational clutter, since it is unambiguous. A tagged fact tf encrypted with a key k using an algorithm kt is written as {tf}k. A tag for an encryption, going by the grammar, would look like enc ⟨t1, t2, ..., tn⟩ kt, where t1, t2, ..., tn is the collection of tags for the facts inside the encryption and kt is the tag for the key. This tag is written in a simpler notation as {|t1, t2, ..., tn|}kt. It is assumed that the tag for the key contains enough information regarding the type of the key (public-key or shared-key etc.) and the encryption algorithm used (RSA, DES etc.).

We extend this message structure by defining the structure of atoms of type wenc as below:

SubWenc ::= Atom | PAIR SubWenc SubWenc | ENCRYPT Tag TaggedFact Fact
Wenc ::= ENCRYPT SubWenc WeakKey

By defining such a structure, we imply that no fact inside a weak encryption is associated with a tag. We will call the set of all such facts Subwenc. We assume that honest agents follow such a structure before encrypting with a weak key (fairly realistic since otherwise, as explained before, the tags themselves would verify a guess).

We split keys into sets called Strongkeys and Weakkeys, depending on the function applied to generate the keys. For example, application of Passwd gives a weak key. In contrast, a function PublicKey gives rise to a strong key. We will talk more about function applications in section 3.2. Projections are defined on tagged facts as:

$$(t, f)_1 = t, \quad (t, f)_2 = f.$$

A version of the perfect encryption assumption is assumed, whereby honest agents are capable of knowing whether they decrypted an encryption correctly [?].

3.1.2 Subtaggedfacts

In the following definition, we introduce the subfact relation, denoted by $\sqsubseteq$, to refer to subtaggedfacts of a tagged fact.

Definition 1. The subfact relation is the smallest relation on tagged facts such that:

1. $tf \sqsubseteq tf$;

2. $tf \sqsubseteq (t, (tf_1, tf_2))$ iff $tf \sqsubseteq tf_1 \vee tf \sqsubseteq tf_2$;

3. $tf \sqsubseteq (t, \{tf'\}_k)$ iff $tf \sqsubseteq tf'$.

Such a relation is also lifted to refer to sub-untagged-facts of a tagged fact, i.e. $f \sqsubseteq tf$ if $(t, f) \sqsubseteq tf$ for some tag $t$.

3.1.3 Correct Tagging

A tagged fact is said to be correctly tagged if its tag represents the true type of the associated fact. A function "well-tagged" is defined inductively over the structure of tags to represent correct tagging:

$$\text{well-tagged}(agent, x) \Leftrightarrow x \in Agent,$$
$$\text{well-tagged}(nonce, x) \Leftrightarrow x \in Nonce,$$
$$\text{well-tagged}(wenc, x) \Leftrightarrow x \in Wenc,$$
$$\text{well-tagged}(pair, x) \Leftrightarrow \exists tf_1, tf_2 : TaggedFact \,.\, x = PAIR\ tf_1\ tf_2 \wedge \text{well-tagged}(tf_1) \wedge \text{well-tagged}(tf_2),$$
$$\text{well-tagged}(\{|ts|\}_{kt}, x) \Leftrightarrow \exists tf : TaggedFact;\ k : Fact \,.\, x = \{tf\}_k \wedge \text{well-tagged}(tf) \wedge \text{well-tagged}(kt, k) \wedge ts = \text{get-tags}\ tf.$$

where get-tags returns the collective sequence of tags inside an encryption, defined as:

$$\text{get-tags}(pair, (tf_1, tf_2)) = \text{get-tags}\ tf_1 \frown \text{get-tags}\ tf_2,$$
$$\text{get-tags}(t, f) = \langle t \rangle, \quad \text{for } t \neq pair.$$

A well-tagged fact represents a taggedfact which is correctly tagged and has every subtaggedfact in it correctly tagged. In contrast, a fact is characterized as top-level-well-tagged when it is correctly tagged at the outermost level only. This means, for example, that a taggedfact is indeed a pair of tagged facts when its tag equals pair, even if the two tagged facts may not themselves be well-tagged.

$$\text{top-level-well-tagged}(agent, x) \Leftrightarrow x \in Agent,$$
$$\text{top-level-well-tagged}(nonce, x) \Leftrightarrow x \in Nonce,$$
$$\text{top-level-well-tagged}(wenc, x) \Leftrightarrow x \in Wenc,$$
$$\text{top-level-well-tagged}(pair, x) \Leftrightarrow \exists tf_1, tf_2 : TaggedFact \,.\, x = PAIR\ tf_1\ tf_2,$$
$$\text{top-level-well-tagged}(\{|ts|\}_{kt}, x) \Leftrightarrow \exists tf : TaggedFact;\ k : Fact \,.\, x = \{tf\}_k \wedge ts = \text{get-tags}\ tf.$$

3.2 The framework

In the previous section, the structure of messages in a protocol and their properties were introduced. In this section, we introduce the framework in which messages are used to build protocol runs.

The framework is derived from the strand space model of [?]. A strand is a sequence of communications represented as $\langle \pm tf_1, \pm tf_2, \ldots, \pm tf_n \rangle$; $+tf$ indicates sending $tf$ and $-tf$ indicates receiving $tf$. Each send or receive event is a node. A transition between consecutive nodes $n_i$ and $n_{i+1}$ on the same strand is represented as $n_i \Rightarrow n_{i+1}$. A transmission of a tagged fact from $n_i$ on one strand, followed by its reception in $n_j$ on another strand, is represented as $n_i \rightarrow n_j$.

A bundle represents a partial or complete protocol run. It is an acyclic digraph using edges $\rightarrow$ and $\Rightarrow$ such that, whenever a tagged fact is received, the bundle also includes a transmission of that tagged fact. Further, a bundle holds the history of the network from the start of the communication.

A node is said to be an entry point to a set of tagged facts if no previous node has uttered an element of that set. A taggedfact is said to be originating on a node if the node is an entry point for the set to which the taggedfact belongs. A taggedfact is said to be uniquely originating if there is no other node in the bundle that utters an element of the set to which the tagged fact belongs.

3.3 Honest strands

Honest strands represent execution traces of honest agents. Since the roles of honest agents are dictated by the protocol (in terms of sending and receiving messages), it makes sense to have some set of "templates" that dictate the actions of those roles in the protocol. Therefore strand templates are defined which specify the message structure of honest agents under ideal conditions. These contain variables that would be instantiated to output honest strands.

Each taggedfact in an honest strand corresponds to an instantiation of a "tagged template" in a strand template. Tagged templates are defined by the following grammar:

TaggedTemplate ::= Tag × Template
Template ::= Var | APPLY Var* | PAIR TaggedTemplate TaggedTemplate | ENCRYPT Tag TaggedTemplate TaggedTemplate

Here Var represents atomic variables, which upon instantiation output atomic facts. APPLY Var* means that a function identifier Fn is being applied to a collection of atomic variables. This application is the basis for generating keys, hashes of messages etc. For example, in PublicKey(A), Fn = PublicKey. Note that this specification allows one to model constructed keys, not just atomic keys, which is important for 'real-world' protocols such as SSL 3.0. (Atomic keys refer to the keys possessed by participants, which are handled by exhaustive substitution of agents' identities. Constructed keys are keys produced from just about any random bitstring formed using different message elements.)

The next step is to consider how tagged templates are instantiated to form taggedfacts. This is accomplished by defining an instantiation function sub to substitute facts for variables:


$$sub : Var \rightarrow Fact$$

The properties of this function are defined below in order to instantiate all possible tagged templates:

$$sub(t, v) = (t, sub(v)) \quad \text{for } v \in Var,$$
$$sub(t, g(v_1, \ldots, v_n)) = (t, g(sub(v_1), \ldots, sub(v_n))), \quad \text{where } g \in Fn \text{ and } Fn \text{ is the set of function identifiers},$$
$$sub(pair, (tt_1, tt_2)) = (pair, (sub(tt_1), sub(tt_2))),$$
$$sub(\{|ts|\}_{tk}, \{tt\}_k) = (\{|ts|\}_{tk}, \{sub(tt)\}_{sub(tk, k)_2}), \quad \text{where } k = g(v_1, \ldots, v_n) \text{ and } g \in Fn \text{ represents a key type using a particular keying algorithm}.$$

For the third and fourth clauses above, there is a small change from the same expressions given in [HLS00]. (They use $tf_1$, $tf_2$ and $tf$ in place of $tt_1$, $tt_2$ and $tt$. However, since sub is an instantiation of variables and not of facts, we feel it is proper to apply it to templates instead of facts. This change, however, does not affect their results in any way.)

There are two assumptions on strand templates and on instantiating templates:

1. For every strand template, there is some ideal tag environment $\rho$ defined as:

$$\rho : (Var \rightarrow Tag) \cup (Fn \rightarrow Tag^* \times Tag)$$

The idea is that $\rho$ returns the tags for each variable in a template. This is to ensure that the same tags are always given to the same variables in a template. (For the exact properties of $\rho$, please refer to [HLS00].)

2. If a taggedfact $tf$ originates on an honest strand, then $\text{top-level-well-tagged}(tf)$.

This means it is assumed that honest agents always tag messages correctly. However, since it is impossible to distinguish between random bitstrings, it is probably more appropriate to say that, whenever a bitstring is substituted for a variable next to a tag in a template, the bitstring is automatically added to the set corresponding to that tag. (For example, instantiating Na in (nonce, Na) would result in Na being added to the set Nonce.) The bitstring is treated as being of that type from then onwards.

3.4 Penetrator strands

The penetrator is considered to have standard Dolev-Yao attacker capabilities [DY83], i.e. she can overhear messages on a network, construct messages, split them, send her own messages and so on. She is also assumed to possess some set $K_P$ of keys and to produce some texts $T$ of her choice. These capabilities are listed in the following definition.

Definition 2. A penetrator strand is one of the following:

M  Text message: $\langle +(t, x) \rangle$ with $\text{well-tagged}(t, x)$ and $x \in T$.
F  Flushing: $\langle -tf \rangle$.
T  Tee: $\langle -tf, +tf, +tf \rangle$.
C  Concatenation: $\langle -tf, -tf', +(pair, (tf, tf')) \rangle$.
S  Separation: $\langle -(pair, (tf, tf')), +tf, +tf' \rangle$.
K  Key: $\langle +(tk, k) \rangle$ with $\text{well-tagged}(tk, k)$ and $k \in K_P$.
E  Encryption: $\langle -(tk, k), -tf, +(\{|ts|\}_{tk}, \{tf\}_k) \rangle$, where $ts = \text{get-tags}(tf)$.
D  Decryption: $\langle -(tk', k'), -(\{|ts|\}_{tk}, \{tf\}_k), +tf \rangle$, where $tk$ and $tk'$ are tags representing inverse key types, and $k'$ is the corresponding decrypting key of $k$, the two being of type $tk$ and $tk'$ respectively.
R  Retagging: $\langle -(t, f), +(t', f) \rangle$.

The retagging strand captures the concept of receiving a message of one type and sending it with a claim of a different type. In Section 4 we will add some more strands to the above capabilities to model off-line guessing attacks.

Note that we treat weak encryptions as an "abstract type", i.e. we do not allow the attacker to perform any operations on them during the on-line communication. We also assume that guessing the password and deducing the contents inside the encryption is done entirely off-line. Lastly, we consider only those attacks in which the attacker is able to learn a password shared by honest agents by attempting an off-line guessing attack. In other words, we do not consider attacks wherein a password is learnt by breaching secrecy.

3.5 Transforming arbitrarily tagged bundles to well-tagged bundles

An arbitrarily tagged bundle represents a bundle with or without type-flaws. Since a tag in a taggedfact indicates the type of its fact, a correctly tagged fact indicates that the fact is indeed of the type indicated by its tag. Generally speaking, a well-tagged bundle is one in which all tagged facts are correctly tagged. This in turn means that there are no type-flaws in a well-tagged bundle. The main result in [HLS00] states that any bundle that uses the tagging scheme can be changed into an equivalent well-tagged bundle.

To prove this hypothesis, Heather et al. define a renaming function that changes any arbitrarily tagged bundle to a well-tagged bundle. The main idea behind such a transformation being possible is that, if an honest agent is willing to accept an ill-tagged fact $(t, f)$, then it should accept any value in place of $f$. Naturally, this includes the fact $f'$ such that $\text{well-tagged}(t, f')$.²

² There seems to be a typo in [HLS00] in stating the same.

Below are the definition and properties of the renaming transformation:

Definition 3. $\varphi : TaggedFact \rightarrow TaggedFact$ is a renaming function having the following properties:

1. $\varphi$ preserves top-level tags: $\varphi(t, f) = (t', f') \Rightarrow t = t'$;

2. $\varphi$ returns well-tagged terms: $\text{well-tagged}(\varphi(tf))$;
3. $\varphi$ is the identity function over well-tagged terms: $\text{well-tagged}(tf) \Rightarrow \varphi(tf) = tf$;

4. $\varphi$ distributes through concatenations that are top-level-well-tagged;

5. $\varphi$ distributes through encryptions that are top-level-well-tagged, if $ts = \text{get-tags}(tf)$;

6. $\varphi$ respects inverses of keys: if $(tk, k)$ and $(tk', k')$ are inverses of each other, then so are $\varphi(tk, k)$ and $\varphi(tk', k')$, $tk$ and $tk'$ being their types;

7. When $\varphi$ is applied to a top-level-ill-tagged fact $(t, f)$ of $C$, such that $\varphi(t, f) = (t, f')$, then $f' \in T$;

8. When $\varphi$ is applied to a top-level-ill-tagged fact $tf$ of $C$, it produces a fact that has an essentially new value, i.e., a fact that has no sub-untagged-fact in common with $\varphi(tf')_2$ for any other fact $tf'$ of $C$:

$$\forall tf \in facts(C) \,.\, \neg\text{top-level-well-tagged}(tf) \wedge f \sqsubseteq \varphi(tf) \Rightarrow \forall tf' \in facts(C) \,.\, tf' \neq tf \Rightarrow f \not\sqsubseteq \varphi(tf').$$

where $facts(C)$ represents all the facts and sub-untagged-facts of nodes in $C$.

This establishes an injectivity property for $\varphi$ over the facts of $C$.

Merely defining such a renaming transformation neither proves that all possible taggedfacts in $C$ are covered by $\varphi$ nor proves that $\varphi(C)$ is a bundle by definition. Since our modification only defines a new subset of the atoms, the proofs presented in Heather et al. [HLS00] still hold and are summarized below:

1. Given a bundle $C$, there is some renaming function $\varphi$ for $C$. (Refer to [HLS00, Lemma 3].)

2. If $temp$ is a template for an honest agent and $sub(temp)$ is an instantiation of the template, then $\varphi(sub(temp))$ corresponds to an instantiation of the same template using some other function $sub'$, i.e.

$$\varphi(sub(temp)) = sub'(temp)$$

This means that if $sub(temp)$ is an honest strand, then $sub'(temp)$ is also an honest strand. (Refer to [HLS00, Lemma 4].)

3. The penetrator is "equally capable" in $C$ and $\varphi(C)$. In other words, if $X$ is a penetrator strand in $C$, then $X$ is also a penetrator strand in $\varphi(C)$ with every tagged fact $tf$ in $X$ replaced by $\varphi(tf)$. (Refer to [HLS00, Section 3.3].)

4. Protocol security is entirely based on values that originate uniquely, such as nonces and short-term keys. Therefore, it is important to ensure that the transformed bundle doesn't contain nodes that "duplicate" such values. To this end, a bundle $C''$ is produced from $\varphi(C)$ such that facts in $C''$ are uniquely originating if they were uniquely originating in $C$. (Refer to [HLS00, section 3.4].)

3.6 Main Result

The main result of Heather et al. ([HLS00, Theorem 1]) follows from the concepts explained in the previous section:

Theorem 1. If $C$ is a bundle (under the tagging scheme) then there is a renaming function $\varphi$ and a bundle $C''$ such that:

• $C''$ contains the tagged facts of $C$ (considered as a set), renamed by $\varphi$;

• $C''$ contains the same honest strands as $C$, modulo the above renaming;

• facts are uniquely originating in $C''$ if they were uniquely originating in $C$;

• all tagged facts in $C''$ are well-tagged.

4 Proof Part 2: Guessing attacks

In this section we will introduce our notion of an attacker engaging in off-line guessing and verification. We assume a set $G$ of guesses that an attacker possesses. We add some more penetrator strands to the capabilities in Definition 2 to capture capabilities in the off-line phase:

Dg  Decryption using Guess: $\langle -(wenc, f), -g, +f' \rangle$ with $g \in G$, $f \in Wenc$, $f = \{f'\}_w$, $w \in Weakkeys$ and $w = g$.
Eg  Encryption using Guess: $\langle -f, -g, +\{f\}_g \rangle$ with $g \in G$, $f \in Subwenc$.
Cf  Concatenating facts: $\langle -f, -f', +(f, f') \rangle$.
Sf  Separating facts: $\langle -(f, f'), +f, +f' \rangle$.
Tg  Tagging: $\langle -t, -f, +(t, f) \rangle$.
Utg  Untagging: $\langle -(t, f), +f \rangle$.

We prove that basically the same strands can be constructed from $C''$. Let $X$ be a penetrator strand from $C$ and $X'$ the corresponding strand from $C''$. If $X$ is a Dg strand, define

$X' = \langle -\varphi(wenc, f), -g, +f' \rangle$, which is a valid Dg strand.

If $X$ is an Eg strand, define

$X' = \langle -\varphi(t, f)_2, -g, +\{\varphi(t, f)_2\}_g \rangle$, which is a valid Eg strand.

If $X$ is a Cf strand, define

$X' = \langle -\varphi(t, f)_2, -\varphi(t', f')_2, +(\varphi(t, f)_2, \varphi(t', f')_2) \rangle$, which is a valid Cf strand.

If $X$ is an Sf strand, define

$X' = \langle -(\varphi(t, f)_2, \varphi(t', f')_2), +\varphi(t, f)_2, +\varphi(t', f')_2 \rangle$, which is a valid Sf strand.

If $X$ is a Tg strand, define

$X' = \langle -t, -\varphi(t, f)_2, +\varphi(t, f) \rangle$.

Now $\varphi(t, f) = (t, f')$ for some $f'$ such that $\text{well-tagged}(t, f')$. Therefore, we can rewrite the above expression as

$X' = \langle -t, -f', +(t, f') \rangle$, which is a valid Tg strand.

If $X$ is a Utg strand, define

$X' = \langle -\varphi(t, f), +\varphi(t, f)_2 \rangle$.

Again, since $\varphi(t, f) = (t, f')$ for some $f'$ such that $\text{well-tagged}(t, f')$, this can be rewritten as

$X' = \langle -(t, f'), +f' \rangle$, which is a valid Utg strand.

4.1 Defining guessing attacks

Before giving a formal definition of guessing attacks, we define a relation deducible such that $tf$ is deducible from a bundle $C$ if there is a valid sequence of penetrator strands that yield $tf$ from $C$.

Firstly, we introduce a simple inference relation $\vdash$. If $S$ is a set of tagged facts, we write $S \vdash_X tf$ if the strand $X$ can be constructed such that, for every $tf'$ on a '$-$' node of $X$, $tf' \in S$, and $tf$ is a tagged fact on some '$+$' node of $X$.

Definition 4. Let $C$ be a bundle. Then $tf_n$ is deducible from $C$, or

$$C \models_{tr} tf_n, \quad \text{where } tr = \langle S_1 \vdash_{X_1} tf_1, S_2 \vdash_{X_2} tf_2, \ldots, S_n \vdash_{X_n} tf_n \rangle,$$

and for $i = 1 \ldots n$, $S_{i+1} \subseteq Taggedfacts(C) \cup \{tf_1, \ldots, tf_i\}$, where $Taggedfacts(C)$ is the set of taggedfacts on all the nodes in $C$.

We will tend to drop the subscript $tr$ when it is obvious.

Lemma 1. Let $C$ and $C''$ be two bundles defined as in section 3. Then,

$$C \cup \{g\} \models_{tr1} tf \Rightarrow C'' \cup \{g\} \models_{tr2} \varphi(tf).$$

Proof. In order to prove the above proposition, we need to show that, for every possible inference $S \vdash_X tf$ in $tr1$, there is an equivalent $\varphi(S) \vdash_{X'} \varphi(tf)$ in $tr2$. This in turn means we need to show that for every possible strand $X$ from $C$, there is an equivalent strand from $C''$.

It is proven in [HLS00, section 3.3] that for each of the penetrator strands in $C$, equivalent penetrator strands in $C''$ can be constructed. In section 4 we proved that, for every penetrator strand used on $C$ in the off-line phase, an equivalent penetrator strand can be constructed from $C''$.

Hence the result. □

Lemma  2.  Let  C  and  C  be  two  bundles  defined  as  in  sec¬ 
tion  3.  Then, 

c^tf^c”  ^m)- 

Proof.  We  proceed  as  in  the  previous  lemma.  For  every 
possible  strand  from  C,  there  will  be  an  equivalent  strand 
possible  from  C  .  Observe  from  Heather  et  al.’s  results  that, 
every  tagged  fact  tf  in  C  has  an  equivalent  (f>{tf)  in  C 
which  is  well-tagged. 

There  are  two  cases  when  it  may  be  possible  to  construct 
a  penetrator  strand  from  C  but  from  C : 

1.  There  is  a  tagged  fact  tf  such  that  tf  G 
Taggedfacts{C  ),butf/  ^  C; 

2.  When  a  key  k  cannot  be  used  in  a  D  strand  in  C  but 
(j){k)  can  be  used  in  an  equivalent  strand  from  C  . 

However,

1. From [HLS00, Theorem 1], unique origination is preserved in $C'$ obtained from $C$;

2. By condition 6 of definition 3, $\phi$ respects inverses. Therefore it is not possible to construct a D strand from $C'$ which was not possible from $C$.

□ 

Using the above formalism, we give a simple definition of a guessing attack. We say that a guessing attack is possible on a bundle $C$ if some guess $g \in G$ is verifiable in $C$.

In short, we check whether the attacker can derive a tagged fact in at most one way before guessing, but in more than one way after guessing. To find out whether there are two different ways to derive a tagged fact, we 'mask' the first occurrence with a fresh random value and then look for another derivation of it.
Definition 5. Let $C$ and $g$ be as defined above. Let $sub$ be an instantiation function for a template $temp$ such that $sub(temp) \in C$, and let $tt$ be a tagged template in $temp$. Also let $tf = sub(tt)$. Then,

$g$ is verifiable from $C$ and $tf$ is a verifier for $g$ iff:

1. $C \cup \{g\} \models tf \;\wedge\; \bar{C} \cup \{g\} \models tf$; and

2. $C \not\models tf \;\vee\; \bar{C} \not\models tf$,

where $\bar{tf}$ is a fresh constant and $\bar{C}$ is obtained by replacing the particular occurrence of $tf$ in $C$ with $\bar{tf}$.

4.2  The  main  result 

Our main aim is to show that, whenever there is a guessing attack on $C$, there is also a guessing attack on $C'$. If there is a guessing attack on $C$ then, by definition, a guess $g \in G$ is verifiable in $C$ with a verifier $sub(tt)$. Therefore, we frame our main theorem as follows.

Theorem 2. Whenever $g \in G$ is verifiable from $C$, $g$ is also verifiable from $C'$.

Proof. Let $sub'$ be defined as in section 3.3:

$$sub'(tt) = \phi(sub(tt)).$$

Recall that $C'$ is obtained from $C$ by applying the renaming $\phi$; write $\bar{C}'$ for the bundle obtained from $\bar{C}$ in the same way, and $tf'$ for $\phi(tf)$. Now if $g$ is verifiable in $C$, by definition 5,

1. $C \cup \{g\} \models tf \;\wedge\; \bar{C} \cup \{g\} \models tf$; and

2. $C \not\models tf \;\vee\; \bar{C} \not\models tf$.

From Lemma 1 (applied to $C$ and to $\bar{C}$), $C \cup \{g\} \models tf \Rightarrow C' \cup \{g\} \models \phi(tf)$. Further, from Lemma 2, $C \not\models tf \Rightarrow C' \not\models \phi(tf)$. Therefore, (1) and (2) above can be rewritten as

1'. $C' \cup \{g\} \models tf' \;\wedge\; \bar{C}' \cup \{g\} \models tf'$; and

2'. $C' \not\models tf' \;\vee\; \bar{C}' \not\models tf'$.

Further, $\phi(tf) = \phi(sub(tt)) = sub'(tt)$.

Therefore $g$ is verifiable in $C'$ with the verifier $sub'(tt)$.

□ 

5  Conclusion 

In this paper we have considered type-flaw guessing attacks on password protocols. We modified Heather et al.'s existing solution for preventing type-flaw attacks and proved that the modification prevents type-flaw guessing attacks on password protocols. Our proof strategy was built on Heather et al.'s proof structure with a minor change: we considered all weak encryptions as atoms. This was possible because we disallowed any attacker operations on such terms.

Our  proof  proceeded  in  two  stages: 


1. The on-line communication; here we proved that, if a protocol run can be obtained under our tagging scheme, then essentially the same run can be obtained when all messages are correctly tagged. Most of this result was already established by Heather et al. A renaming function is applied to an arbitrarily tagged bundle so that the resulting bundle has every message correctly tagged. Such a renaming is realistic because, if an honest agent is willing to accept an ill-tagged message, it should accept any value in its place;

2. We showed that a guessing attack is possible on the correctly tagged bundle if it was possible on the original bundle. This indirectly proves that the attack was not based on a type-flaw but on some other mechanism.

The implementation of the tagging scheme using bit strings is described in [HLS00].

In  the  following  section  we  will  discuss  some  interesting 
issues  together  with  directions  towards  future  work. 

5.1 Discussion and Future work

Observe that our proof (and, for that matter, Heather et al.'s proof) depends heavily on the way a type-flaw is defined. For example, if we define that sending an atom of one type while claiming it to be an atom of another type is not a type-flaw, then the tag structure would appear as follows:

Tag ::= atom | pair | enc Tag* Tag

Such a tagging would allow, for example, sending a key while claiming it to be an agent's identity, but prevents sending an atom as a pair or as a (strong) encryption.

Similarly, we identified all weak encryptions, regardless of their structure, as belonging to a single type, wenc. Therefore weak encryptions having different structures may be replayed in place of one another. For example, a message {na, k, nb}passwd(a) can be replayed, claiming it to be structurally identical to {k, na, ts}passwd(a) (na, nb are nonces, k is a key and ts is a timestamp). Such type-flaws may be usable in attacks, but they can neither be prevented by our tagging scheme, nor does our proof establish that they cannot be used in attacks.

However, in practice such replays can often be avoided. For example, consider the following messages of Gong et al.'s popular "Demonstration protocol" [?]:

Msg 1. a → s : {a, b, na1, na2, ca, {ta}passwd(a)}pk(s)

Msg 4. s → a : {na1, na2 ⊕ k}passwd(a)

Here ca is a redundant random number and pk(s) is the public key of s. Under some assumptions about message structures, a type-flaw guessing attack is possible on this protocol. An attacker can reuse Msg 4 of a legitimate run between a and s as follows:


Msg 1. I(a) → s : {a, b, nI1, nI2, ca, {na1, na2 ⊕ k}passwd(a)}pk(s)

Msg 4. s → I(a) : {nI1, nI2 ⊕ k′}passwd(a)

I(a) denotes the attacker I pretending to be a. The attacker creates his own nonces nI1 and nI2 and uses Msg 4 of the previous run in place of {ta}passwd(a) to construct Msg 1, which he sends to s. When s responds with Msg 4, he decrypts it with a guess and matches the first component (nI1) against his own nI1 to verify the guess.

The  other  messages  of  the  protocol  are  irrelevant  in  this 
attack. 
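As an added illustration (example code written for this edition, not part of the original paper), the following Python script encodes the masking test of Definition 5 over a small symbolic term algebra and runs it on the attacker's view of the replay just described. The term encoding, the atom names (nI1, nI2, pw_a standing for passwd(a), na2_xor_k standing for na2 ⊕ k) and the choice to keep the XOR component opaque are assumptions of the example; only analysis rules (splitting and decryption with a known key or guessed password) are modelled, which suffices because verifiers are subterms of the attacker's knowledge.

```python
"""Symbolic check of guess verifiability by masking (Definition 5).

Term representation (an assumption of this example, not the paper's):
  - an atom is a str, e.g. 'na1' or 'pw_a' (the password of a);
  - ('seq', t1, ..., tn) is a concatenation of components;
  - ('enc', m, k) is a strong symmetric encryption of m under k;
  - ('wenc', m, pw) is a weak encryption of m under the password pw.
"""


def is_atom(t):
    return isinstance(t, str)


def analyse(knowledge):
    """Close a set of terms under splitting and decryption (fixpoint)."""
    known = set(knowledge)
    while True:
        new = set()
        for t in known:
            if is_atom(t):
                continue
            if t[0] == 'seq':
                new.update(t[1:])
            elif t[0] in ('enc', 'wenc') and t[2] in known:
                new.add(t[1])
        if new <= known:
            return known
        known |= new


def derives(bundle, tf):
    """bundle |= tf : tf is obtainable from the terms in bundle."""
    return tf in analyse(bundle)


def mask_first(bundle, tf, fresh):
    """Build C-bar: replace the first occurrence of tf (left to right,
    depth first) in the bundle by the fresh constant."""
    done = False

    def go(t):
        nonlocal done
        if not done and t == tf:
            done = True
            return fresh
        if is_atom(t):
            return t
        return (t[0],) + tuple(go(s) for s in t[1:])

    return [go(t) for t in bundle]


def verifiable(bundle, guess, tf, fresh='MASKED'):
    """Definition 5: tf is a verifier for guess in bundle iff
    (1) C u {g} |= tf  and  C-bar u {g} |= tf, and
    (2) C |/= tf  or  C-bar |/= tf."""
    masked = mask_first(bundle, tf, fresh)
    two_ways_after_guess = (derives(bundle + [guess], tf)
                            and derives(masked + [guess], tf))
    at_most_one_way_before = (not derives(bundle, tf)
                              or not derives(masked, tf))
    return two_ways_after_guess and at_most_one_way_before


# Constructed sample: the attacker's view of the replay in the text.  He
# chose nI1 and nI2, saw an old Msg 4 and receives the new Msg 4 from s.
OLD_MSG4 = ('wenc', ('seq', 'na1', 'na2_xor_k'), 'pw_a')
NEW_MSG4 = ('wenc', ('seq', 'nI1', 'nI2_xor_k2'), 'pw_a')
ATTACK_BUNDLE = ['nI1', 'nI2', 'ca', OLD_MSG4, NEW_MSG4]
# Same attacker, but s rejected the replayed weak encryption: no NEW_MSG4.
NO_FLAW_BUNDLE = ['nI1', 'nI2', 'ca', OLD_MSG4]


def demonstration_attack_verifies():
    """nI1 is known directly and again inside NEW_MSG4 once pw_a is
    guessed: two derivations after guessing, one before."""
    return verifiable(ATTACK_BUNDLE, 'pw_a', 'nI1')


def without_type_flaw_verifies():
    """Without the reply no component has a second derivation, so no
    tagged fact of the bundle can act as a verifier."""
    return any(verifiable(NO_FLAW_BUNDLE, 'pw_a', tf)
               for tf in ('nI1', 'nI2', 'na1', 'na2_xor_k'))


def weak_enc_leaks_secret():
    """Smaller sample: na known in the clear and under the password.  The
    guess is verified and nb, otherwise secret, is learned too."""
    bundle = ['na', ('wenc', ('seq', 'na', 'nb'), 'pw_a')]
    return (verifiable(bundle, 'pw_a', 'na'),
            'nb' in analyse(bundle + ['pw_a']))


if __name__ == '__main__':
    print('attack trace verifies the guess:', demonstration_attack_verifies())
    print('trace without the type-flaw     :', without_type_flaw_verifies())
    print('{na, nb}passwd(a) with na known :', weak_enc_leaks_secret())
```

The contrast between the two bundles is the point of the paper's argument: the guess is verifiable only because the untyped weak encryption let the attacker obtain a second, password-protected occurrence of a value he already knew.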

Now this attack can be prevented if there is a tag for the timestamp ta inside {ta}passwd(a) in Msg 1. This type tag would not directly verify a guess because it is protected by another layer of encryption under a strong key (pk(s)).

Some replays cannot be avoided. For example, {f}passwd(a) can be replayed in place of {f′}passwd(a) provided f and f′ can be "unified". However, in most cases the possibility of such unification itself means that a guessing attack is possible: since unification requires the constants in f and f′ to match, whenever f and f′ are textually distinct (except for the positions of the constants), the constants would themselves verify a guess. For example, {na, K, NB}passwd(a) can be unified with {na, ts, K}passwd(a) (na is a constant; K, NB are variables). However, na can then be obtained from the two messages in two different ways by using a guess; this verifies the guess even before unification!

Observe that in the tagging scheme, tags not protected by encryption can be safely removed while achieving the same results. Further, the tags inside encryptions can be combined into a single component number. As Heather et al. argue, this simplification is fault-preserving in the sense of Hui and Lowe [HL01]: that is, if there is an attack on the component numbering scheme, there was also an attack on the original tagging scheme.

Such component numbering ensures that encrypted components cannot be replayed in place of one another. Above we argued (although it is yet to be proved formally) that weak encryptions should also be non-replayable (i.e. non-unifiable). Therefore, a protocol following this suggestion, along with the component numbering scheme, ensures that no replays of encrypted components are possible. Such a result has been shown on numerous occasions to hold the key to protocol security [AN94, ?]. Fairly recently, it was also shown to ensure decidability for security protocols in the context of secrecy [?]. (Secrecy is a security property that specifies that an attacker should not be able to learn a secret value from a protocol run.)

We also believe that the result regarding component numbering makes it easy to prove that "protocol numbering" inside encrypted components would prevent multi-protocol guessing attacks [MAFM02, ?], if we can find a way to enforce the numbering. (A multi-protocol guessing attack works by replaying encrypted components from one protocol into a different protocol.)

Observe that we assume sufficient redundancy inside strong encryptions to allow honest agents to know whether they decrypted them correctly. However, we did not allow such redundancy in weak encryptions because it may verify a guess directly [Gon90]. In contrast, Lowe states that redundancy inside any encryption (including strong ones) would aid guessing attacks [Low02]. However, without such redundancy it is hard to see how honest agents can run protocols satisfactorily.

Secrecy and guessing attacks seem to be more closely related than meets the eye. Halevi et al. have shown that security against guessing attacks can be reduced to the initial problem of establishing a secret between two unfamiliar parties [?]. (A corollary is that public-key encryption is unavoidable in solving both problems.) Thus, it is not entirely surprising that the same problems and solutions encountered in studying secrecy attacks on protocols also apply to guessing attacks.

Observe that learning a password through a guessing attack can result in breaches of secrecy that are not detected when analysing protocols for secrecy alone. For example, given {na, nb}passwd(a) and na, a successful guessing attack is possible, but the attacker also learns an otherwise secret nb.

Also observe that, like secrecy and authentication, guessing attacks should be studied as a trace property. (A trace property is a security property that can be verified by examining all possible traces, or protocol runs, within a scenario.) Therefore, it would be interesting to see whether the decidability results published for secrecy and authentication apply to guessing attacks as well (e.g. [MS01, ?]).

The ideal tag environment ρ defined in section 3 assumes more importance than it may seem. A necessary condition for successful use of the tagging scheme is that all honest agents follow the same implementation. For example, agent a cannot run a protocol using the value 001 for the tag nonce with b, who uses another value, say 101, for the same tag. This is also true when a itself is involved in different runs of the same protocol, or is simultaneously engaging in runs of different protocols (e.g. SSL 3.0 and SET concurrently). However, Heather et al.'s formal definition of ρ only specifies that each honest role must have tag values that are consistent within the same template; it does not specify that all honest agents follow the same tag values, which we believe is inadequate. Of course, it is also hard to have such "universally agreed upon" tag values without some sort of "international standard" for tagging schemes. And there is no guarantee that malicious code will not deliberately use wrong tag values to tailor a protocol for use in attacks [?, AF98].

In this paper we have used the definition of guessing attacks given in [?], which only considers verifiers that are subterms of the attacker's initial knowledge. This definition is specifically tailored to the standard inference rules. In contrast, Lowe's definition in [?] is stronger in this sense, because it can be used with any attacker inference set. (For example, the rule {m, n}k ⊢ {m}k is not in the standard inference set, but holds when Cipher Block Chaining is used.) It would be interesting to see how this affects the results in this paper.

However, regardless of how such inference rules affect our results, they can be used to attack Heather et al.'s original scheme as well (see the Appendix for an attack on the Woo and Lam authentication protocol π1).

There are two other unsolved issues in Heather et al.'s scheme:

1. They do not consider all possible forms of constructed keys (but only those that result from applying a key function Fn to the concatenation of a sequence of atoms (f1, ..., fn));

2. They do not consider cancellativity and other algebraic properties obeyed by message elements when operations such as products and XOR are used (these operations are frequently used in real-world protocols).

Lastly, we did not consider implementation-dependent guessing attacks in this paper. For example, the password can be learned from {english_text}passwd(a) by decrypting it with a guess and recognising the plaintext (even though english_text is not known initially).

We  look  forward  to  the  future  with  all  the  issues  pointed 
out  in  this  section,  which  will  keep  us  busy. 
Appendix 1: Attack on Heather et al.'s scheme

Consider the Woo and Lam authentication protocol π1 [WL94]:

Msg 1. a → b : a

Msg 2. b → a : nb

Msg 3. a → b : {a, b, nb}sh(as)

Msg 4. b → s : {a, b, {a, b, nb}sh(as)}sh(bs)

Msg 5. s → b : {a, b, nb}sh(bs)

sh(xy) represents a key shared between agents x and y.

Heather et al. present a type-flaw attack on this protocol:

Msg 3. I(a) → b : nb

Msg 4. b → I(s) : {a, b, nb}sh(bs)

Msg 5. I(s) → b : {a, b, nb}sh(bs)

The attack works by (i) using a type-flaw in message 3 (nb in place of {a, b, nb}sh(as)) and (ii) replaying message 4 as message 5. Heather et al. argue that inserting unique component numbers inside encryptions prevents this attack. In their scheme, the same protocol would be implemented as:


Msg 1. a → b : a

Msg 2. b → a : nb

Msg 3. a → b : {a, b, nb, 1}sh(as)

Msg 4. b → s : {a, b, {a, b, nb, 1}sh(as), 2}sh(bs)

Msg 5. s → b : {a, b, nb, 3}sh(bs)


However, Heather et al.'s results are valid only under the standard inference rules. To see why, consider the inference rule {m, n}k ⊢ {m}k, which holds when Cipher Block Chaining is used for encryption:

Msg 1. a → b : a

Msg 2. b → a : nb

Msg 3. I(a) → b : (nb, 3)   /* in place of {a, b, nb}sh(as) */

Msg 4. b → I(s) : {a, b, (nb, 3), 2}sh(bs)

Msg 5. I(s) → b : {a, b, nb, 3}sh(bs)   /* using the CBC inference rule on Msg 4 */

This attack works because the attacker can infer {a, b, nb, 3}sh(bs) from Msg 4 ({a, b, (nb, 3), 2}sh(bs)) using the CBC inference rule: the sequence flattens to a, b, nb, 3, 2, and dropping the trailing component leaves a ciphertext that b accepts as Msg 5.
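The rule {m, n}k ⊢ {m}k follows from how CBC chains blocks: the i-th ciphertext block depends only on the IV, the key and the first i plaintext blocks, so any prefix of a CBC ciphertext is itself a valid CBC ciphertext of the corresponding plaintext prefix. The script below, added here as an example and not part of the original paper or of Heather et al.'s work, reproduces the truncation of Msg 4 into Msg 5 with a deliberately trivial keyed byte substitution in place of a real block cipher (so it runs with the standard library only), and shows that an encrypt-then-MAC over the whole ciphertext removes the inference rule. The key, the IV, the NUL padding and the one-component-per-block encoding are assumptions of the example.

```python
"""Toy CBC demonstration of {m, n}_k |- {m}_k (added example).

The 'block cipher' is a key-seeded byte permutation: NOT secure, but
invertible, which is all CBC chaining needs for the truncation property.
"""
import hmac
import random

BLOCK = 8  # bytes; each protocol component is padded to one block


def _sbox(key):
    """Key-seeded byte permutation (toy stand-in for a block cipher)."""
    box = list(range(256))
    random.Random(key).shuffle(box)
    return box


def block_encrypt(block, key):
    box = _sbox(key)
    return bytes(box[b] for b in block)


def block_decrypt(block, key):
    inv = [0] * 256
    for i, v in enumerate(_sbox(key)):
        inv[v] = i
    return bytes(inv[b] for b in block)


def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for blk in blocks:
        prev = block_encrypt(xor(blk, prev), key)  # chain on ciphertext
        out.append(prev)
    return b''.join(out)


def cbc_decrypt(ct, key, iv):
    blocks, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        blocks.append(xor(block_decrypt(c, key), prev))
        prev = c
    return blocks


def encode(components):
    """One component per block, NUL-padded (assumed wire encoding)."""
    return [c.encode().ljust(BLOCK, b'\0') for c in components]


def decode(blocks):
    return [b.rstrip(b'\0').decode() for b in blocks]


# Constructed key and IV for the sample run (the IV travels with the
# ciphertext, so the attacker simply forwards it unchanged).
SH_BS = b'shared-key-b-s'
IV = bytes(BLOCK)


def forge_msg5_from_msg4(msg4_ct):
    """I(s) keeps the first four blocks of {a, b, (nb, 3), 2}_sh(bs)
    and obtains {a, b, nb, 3}_sh(bs) without knowing sh(bs)."""
    return msg4_ct[:4 * BLOCK]


def cbc_truncation_attack():
    """Returns (forged == honest Msg 5 ciphertext, what b decrypts)."""
    msg4 = cbc_encrypt(encode(['a', 'b', 'nb', '3', '2']), SH_BS, IV)
    forged = forge_msg5_from_msg4(msg4)
    honest_msg5 = cbc_encrypt(encode(['a', 'b', 'nb', '3']), SH_BS, IV)
    return forged == honest_msg5, decode(cbc_decrypt(forged, SH_BS, IV))


def mac_tag(ct, mac_key=b'mac-key-b-s'):
    return hmac.new(mac_key, ct, 'sha256').digest()


def truncation_detected_with_mac():
    """Encrypt-then-MAC over the whole ciphertext: the prefix no longer
    verifies, so the rule {m, n}_k |- {m}_k is not available."""
    msg4 = cbc_encrypt(encode(['a', 'b', 'nb', '3', '2']), SH_BS, IV)
    tag = mac_tag(msg4)
    forged = forge_msg5_from_msg4(msg4)
    return not hmac.compare_digest(tag, mac_tag(forged))


if __name__ == '__main__':
    print('prefix of Msg 4 equals honest Msg 5, b decrypts:',
          cbc_truncation_attack())
    print('truncation rejected once a MAC covers the ciphertext:',
          truncation_detected_with_mac())
```

The component number 2 sits in the last block precisely because the tagging scheme appends it, which is what makes it droppable here; any integrity check over the complete ciphertext (or an authenticated mode) restores the standard inference rules that Heather et al.'s argument assumes.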

Note  that  according  to  Heather  et  al.,  if  there  is  an  at¬ 
tack  on  a  protocol  using  component  numbering,  there  is  also 
an  attack  on  the  protocol  when  using  their  original  tagging 
scheme  (although  it  is  doubtful  whether  the  result  applies 
for  inference  rules  outside  the  standard  set). 